New NERC-CIP Security Standards: Focus on Supply Chain Risks

On July 21, 2016 the North American Electric Regulatory Commission (NERC) was givena directive to develop new risk management standards aimed at addressing risks to the information systems in the supply chain of electric system assets. The new standards will cover risks related to remote vendor access, software integrity and authenticity, vendor risk management, procurement controls, and more.

The Federal Energy Regulatory Commission (FERC) issued the new directive to NERC and they also issued aNotice of Inquiry (NOI) to collect input from the public about the protection of highly-sensitive control centers that monitor and control the bulk electric system in real-time. This NOI showed particular interest in remote vendor access and application whitelisting, and referred to the recent successful attack on the Ukraine power grid as an example of the risks that need to be addressed in the current Critical Infrastructure Protection (CIP) standards.

Advanced malware has been increasingly threatening Industrial Control Systems (ICS) in the energy industry in several recent incidents, including the well-studied Ukraine power grid attack and a recent attack on the Gundremmingen nuclear power plant. A highly-destructive type of malware known as ransomware has also recently impacted facilities like the Lansing Board of Water and Light (BWL) in Michigan.

Ransomware is a particularly dangerous and relatively new threat to ICS systems. A report from The Institute for Critical Infrastructure Technology (ICIT) emphasizes the risk: “if a SCADA or ICS system in an energy, utilities or manufacturing organization becomes infected with ransomware, then lives could be jeopardized in the time it takes to investigate the incident and return the systems to operation.” The report identifies endpoint security solutions as essential to preventing ransomware attacks, stating, “without an adequate investment in bleeding edge endpoint security solutions, ransomware will likely cause more significant harm much sooner.”

Both of the new initiatives to continue to develop the NERC-CIP standards and to gain valuable insight from experts in the industry are important steps in securing the systems that monitor and control the generation and transmission of North America’s power. Improving security standards for the communications that connect the system-critical power control centers to the outside world is crucial to reducing the ICS attack surface and mitigating future attacks on the power grid.

Industry experts are encouraged to submit comments to the FERC and support this initiative byreading the NOI here.Subscribe to CyberSheath’s blog for future important updates on NERC-CIP risks and solutions from our security professionals working in NERC-CIP regulated industries.